Huawei Eudemon Configuration Document
Hot standby (dual-device backup) on Eudemon firewalls relies on three protocols:
VRRP (Virtual Router Redundancy Protocol) is a fault-tolerance protocol defined in RFC 2338. By separating the physical device from the logical device, it allows path selection among several egress gateways. VGMP (VRRP Group Management Protocol) is Huawei's own extension built on top of VRRP to prevent VRRP state inconsistency: it manages the state of all VRRP backup groups that join it as one unit.
HRP (Huawei Redundancy Protocol) performs real-time backup of the firewall's dynamic state data.
This document applies to Eudemon software versions that do not support VGMP. Such versions have two default management groups, master and slave: master manages the VRRP backup groups of the primary firewall and slave manages those of the backup firewall. The main difference between the two groups is their priority.
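The reason the backup groups are managed as one unit is easiest to see in a small model. The following Python is an added illustration, not Huawei's implementation: the priorities (120 for the master group, 100 for the slave group), the penalty of 40 applied when an interface fails, and the choice of the failed interface are all constructed values. It compares plain per-VRID VRRP failover with group-level failover on the four VRIDs configured below.

```python
"""Why the VRRP backup groups of one firewall are managed as a unit. Added
illustration, not Huawei's implementation: the priorities (120 for the master
group, 100 for the slave group), the penalty of 40 and the failed interface
are constructed values."""

VRIDS = {1: "GigabitEthernet0/0/0", 2: "GigabitEthernet0/0/1",
         3: "GigabitEthernet5/0/0", 4: "GigabitEthernet6/0/0"}
MASTER_PRIO, SLAVE_PRIO, PENALTY = 120, 100, 40   # constructed values


def group_priorities(base):
    """Every backup group managed by a management group starts at the group's priority."""
    return {vrid: base for vrid in VRIDS}


def apply_failure(prio, failed_vrid, grouped):
    """Lower priorities after the interface carrying failed_vrid goes down.
    grouped=False: plain VRRP, only that one backup group is affected.
    grouped=True: the management group lowers every backup group it manages."""
    return {v: p - PENALTY if grouped or v == failed_vrid else p for v, p in prio.items()}


def elect(prio_a, prio_b):
    """Per-VRID election: the higher priority becomes master (FW-A wins ties)."""
    return {v: "FW-A" if prio_a[v] >= prio_b[v] else "FW-B" for v in VRIDS}


def consistent(masters):
    """True when a single firewall is master for every backup group (no split state)."""
    return len(set(masters.values())) == 1


def failover_scenario(failed_vrid, grouped):
    """FW-A runs the master group, FW-B the slave group; return the masters
    elected after the interface carrying failed_vrid fails on FW-A."""
    fw_a = apply_failure(group_priorities(MASTER_PRIO), failed_vrid, grouped)
    return elect(fw_a, group_priorities(SLAVE_PRIO))


if __name__ == "__main__":
    for grouped in (False, True):
        m = failover_scenario(3, grouped)
        print("grouped" if grouped else "plain VRRP", m,
              "consistent" if consistent(m) else "SPLIT: traffic enters one firewall and leaves the other")
```

With plain VRRP only VRID 3 moves to FW-B while VRIDs 1, 2 and 4 stay on FW-A, so the two firewalls end up sharing one traffic path and the session table on either side is incomplete; with the management group every VRID moves together and FW-B becomes master for all of them.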
1. Eudemon dual-device configuration takes the following two steps:
Step 1. Interface zone assignment and VRRP backup group configuration
[Eudemon] firewall zone trust
[Eudemon-zone-trust] add interface GigabitEthernet0/0/0
[Eudemon] firewall zone untrust
[Eudemon-zone-untrust] add interface GigabitEthernet5/0/0
[Eudemon] firewall zone dmz
[Eudemon-zone-dmz] add interface GigabitEthernet0/0/1
[Eudemon-zone-dmz] add interface GigabitEthernet6/0/0
Note: an Eudemon firewall has four default zones: local (the device itself), untrust (external network), trust (internal network) and dmz (demilitarized zone), with security levels of 100, 5, 85 and 50 respectively. These four default zones cannot be deleted and their security levels cannot be changed; by default, no IP traffic is allowed between any of the four zones.
[Eudemon] interface GigabitEthernet0/0/0
[Eudemon-GigabitEthernet0/0/0] ip address 10.154.164.251 24
[Eudemon-GigabitEthernet0/0/0] vrrp vrid 1 virtual-ip 10.154.164.253 master
# On the backup device, change the interface IP address and replace the keyword master with slave; the same applies to the interfaces below
[Eudemon-GigabitEthernet0/0/0] undo shutdown
[Eudemon] interface GigabitEthernet0/0/1
[Eudemon-GigabitEthernet0/0/1] ip address 10.155.80.1 28
[Eudemon-GigabitEthernet0/0/1] vrrp vrid 2 virtual-ip 10.155.80.3 master
[Eudemon-GigabitEthernet0/0/1] undo shutdown
[Eudemon] interface GigabitEthernet5/0/0
[Eudemon-GigabitEthernet5/0/0] ip address 10.0.0.251 24
[Eudemon-GigabitEthernet5/0/0] vrrp vrid 3 virtual-ip 10.0.0.202 master
[Eudemon-GigabitEthernet5/0/0] undo shutdown
[Eudemon] interface GigabitEthernet6/0/0
# Heartbeat link between the two devices
[Eudemon-GigabitEthernet6/0/0] ip address 172.16.0.1 24
[Eudemon-GigabitEthernet6/0/0] vrrp vrid 4 virtual-ip 172.16.0.3 master
[Eudemon-GigabitEthernet6/0/0] undo shutdown
Step 2. HRP configuration
[Eudemon] hrp enable
# Enable HRP
HRP_M[Eudemon] hrp interface GigabitEthernet6/0/0
# Interface used to back up the session table
HRP_M[Eudemon] hrp auto-sync
# Enable automatic backup of both configuration commands and connection state
HRP_M[Eudemon] hrp configuration check {hrp|acl}
# Consistency check between the primary and backup firewalls
HRP_M[Eudemon] display hrp configuration check {all|acl|hrp}
# View the check result
Note: the configurations of the primary and backup firewalls are almost identical; the main differences are the real interface IP addresses and the management group. After hrp enable is run, the [Eudemon] prompt on the primary device is prefixed with HRP_M and the prompt on the backup device with HRP_S. The figure below is a screenshot of a check result showing the two configurations are consistent.
You can also verify the dual-device configuration by adding an ACL on the primary device and checking whether the same ACL appears on the backup device; a failover (switchover) test should also be carried out.
2. Address set and port set configuration
Addresses and ports that are subject to the same action are placed in one set, which makes policies easier to write and reduces the number of ACL rules.
HRP_M[Eudemon] ip address-set mwa
 address 0 10.0.0.233 0
# '0' is shorthand for the wildcard 0.0.0.0, meaning the entry is a single host; the same applies below
 address 1 10.0.0.50 0
HRP_M[Eudemon] ip address-set mwb
 address 0 10.0.0.50 0
 address 1 10.0.0.51 0
HRP_M[Eudemon] ip address-set zca
 address 0 10.154.164.103 0
 address 1 10.154.164.104 0
HRP_M[Eudemon] ip address-set zcb
 address 0 10.154.164.98 0
 address 1 10.154.164.108 0
HRP_M[Eudemon] ip address-set nat
 address 0 10.0.0.242 0
 address 1 10.0.0.243 0
HRP_M[Eudemon] ip port-set fwdk protocol tcp
 port 0 eq 211
 port 1 eq 1521
 port 2 range 6789 6790
3. Policy configuration
HRP_M[Eudemon] acl number 3001
HRP_M[Eudemon-acl-adv-3001] rule 0 permit tcp source 10.0.0.54 0 destination 10.154.164.98 0 destination-port eq 1521
# Rule 0 permits host 10.0.0.54 to access port 1521 on host 10.154.164.98
HRP_M[Eudemon-acl-adv-3001] rule 1 permit tcp source 10.0.0.54 0 destination 10.154.164.98 0 destination-port eq h
HRP_M[Eudemon-acl-adv-3001] rule 2 permit ip source address-set mwa destination address-set zca
HRP_M[Eudemon-acl-adv-3001] rule 3 permit tcp source address-set mwa destination 10.154.164.98 0 destination-port range 6558 65535
HRP_M[Eudemon-acl-adv-3001] rule 4 permit tcp source address-set mwa destination address-set zcb destination-port eq 1521
HRP_M[Eudemon-acl-adv-3001] rule 5 permit tcp source address-set mwb destination 10.154.164.109 0 destination-port port-set fwdk
HRP_M[Eudemon-acl-adv-3001] rule 6 permit tcp source address-set mwb destination 10.154.164.110 0 destination-port port-set fwdk
HRP_M[Eudemon-acl-adv-3001] rule 7 permit tcp source 10.0.0.54 0 destination 10.154.164.110 0 destination-port eq h
HRP_M[Eudemon-acl-adv-3001] rule 8 permit tcp source address-set mwb destination 10.154.164.111 0 destination-port range 6789 6790
HRP_M[Eudemon-acl-adv-3001] rule 9 permit ip source any destination address-set nat
HRP_M[Eudemon] acl number 3003
HRP_M[Eudemon-acl-adv-3003] rule 1 permit ip source any destination any
4. Applying the ACLs
HRP_M[Eudemon] firewall packet-filter default permit interzone trust untrust direction outbound
# By default, permit packets from the trust zone to the untrust zone
HRP_M[Eudemon] firewall interzone untrust trust
HRP_M[Eudemon-interzone-untrust-trust] packet-filter 3001 inbound
# Apply ACL 3001 in the inbound direction from the untrust zone to the trust zone
HRP_M[Eudemon] firewall interzone trust untrust
HRP_M[Eudemon-interzone-trust-untrust] packet-filter 3002 outbound
HRP_M[Eudemon] firewall interzone local dmz
HRP_M[Eudemon-interzone-local-dmz] packet-filter 3003 inbound
HRP_M[Eudemon-interzone-local-dmz] packet-filter 3003 outbound
HRP_M[Eudemon] firewall interzone local trust
HRP_M[Eudemon-interzone-local-trust] packet-filter 3003 inbound
HRP_M[Eudemon-interzone-local-trust] packet-filter 3003 outbound
HRP_M[Eudemon] firewall interzone local untrust
HRP_M[Eudemon-interzone-local-untrust] packet-filter 3003 inbound
HRP_M[Eudemon-interzone-local-untrust] packet-filter 3003 outbound
Notes:
(1) Inbound: the direction in which data travels from a zone with a lower security level to a zone with a higher security level.
(2) Outbound: the direction in which data travels from a zone with a higher security level to a zone with a lower security level.
5. Routing and NAT configuration
HRP_M[Eudemon] ip route-static 0.0.0.0 0.0.0.0 10.154.164.254
# Add the default route
HRP_M[Eudemon] nat server global 10.0.0.58 inside 10.154.164.108
# Translate the internal address 10.154.164.108 to 10.0.0.58
HRP_M[Eudemon] nat server global 10.0.0.109 inside 10.154.164.109
HRP_M[Eudemon] nat server global 10.0.0.110 inside 10.154.164.110
HRP_M[Eudemon] nat server global 10.0.0.111 inside 10.154.164.111
HRP_M[Eudemon] nat server global 10.0.0.241 inside 10.154.164.103
HRP_M[Eudemon] nat server global 10.0.0.242 inside 10.154.164.98
HRP_M[Eudemon] nat server global 10.0.0.243 inside 10.154.164.104
6. Telnet configuration
Configure Telnet for remote management and maintenance.
HRP_M<Eudemon> system-view
HRP_M[Eudemon] aaa
# Enter the AAA view
HRP_M[Eudemon-aaa] local-user sxit password cipher sxit
# Configure the local user's name and password; the password can be given in plain-text or encrypted form
HRP_M[Eudemon-aaa] local-user sxit service-type telnet
# Configure the local user's service type
HRP_M[Eudemon-aaa] authentication-scheme sxit
# Enter the authentication scheme view
HRP_M[Eudemon-aaa-authen-sxit] authentication-mode local radius
# Configure the authentication method
HRP_M[Eudemon] user-interface vty 0 4
# Enter the user interface view for VTY 0 to 4
HRP_M[Eudemon-ui-vty0-4] authentication-mode aaa
# Set the authentication mode for users to AAA
Notes:
AAA (Authentication, Authorization, Accounting)
Authentication: verifies the user's identity and which network services the user may use;
Authorization: grants network services to the user according to the authentication result;
Accounting: records the user's usage of each network service and supplies it to the billing system.
The most commonly used AAA protocol is RADIUS; another is HWTACACS (Huawei Terminal Access Controller Access Control System), Huawei's extension of TACACS. RADIUS runs over UDP, whereas HWTACACS runs over TCP.
RADIUS (Remote Authentication Dial In User Service), defined in RFC 2865 and RFC 2866, is currently the most widely deployed AAA protocol.